
Mutual TOTP

Mutual TOTP lets two people verify each other's identity in real time — for example, a help desk agent and an employee confirming they are who they say they are before a sensitive action. Each person uses a SlashID sensor (the browser extension or mobile app), and the sensors exchange time-based one-time codes over an authenticated channel.

Before a sensor can take part in a handshake, the person using it signs in with their corporate identity. This guide shows you how to register a SlashID application in Microsoft Entra ID so your users can authenticate with Entra, and how to provide the resulting credentials to SlashID.

First, you will create an Entra App Registration, add the SlashID redirect URI, grant it the permissions needed to identify the signed-in user, and generate a client secret. Second, you will enter the Application (client) ID and client secret in the SlashID Console.

note

You only ever share the Application (client) ID and client secret with SlashID. Your tenant ID and user data stay in Entra.

Step 1: Create an Entra App Registration

  1. Log in to the Microsoft Entra admin center.

  2. From the menu on the left, select 'Identity' > 'Applications' > 'App registrations'.

  3. From the horizontal menu at the top of the page, choose 'New registration'.

[Screenshot: new registration]

  4. Enter a name for this app registration, for example SlashID Mutual TOTP.

  5. Under 'Supported account types', choose the option appropriate for your organization.

  6. Under 'Redirect URI', select 'Web' and enter:

    https://api.slashid.com/sensors/auth/callback
  7. Press 'Register' to confirm. Going forward, we'll call this your SlashID App Registration.

[Screenshot: register an application]

Step 2: Grant permissions

SlashID needs to read the signed-in user's basic profile to identify them during the handshake.

  1. In your SlashID App Registration page, select 'Manage' > 'API permissions' from the side menu.

  2. Choose 'Add a permission', then 'Microsoft Graph', then 'Delegated permissions'.

  3. Add the following permissions:

    Permission    Purpose
    openid        Sign the user in with OpenID Connect
    profile       Read the user's basic profile
    email         Read the user's email address
    User.Read     Read the signed-in user's profile
  4. Press 'Add permissions' to confirm.

[Screenshot: add a permission]

note

These are delegated permissions that act on behalf of the signed-in user. If your organization requires admin consent, grant it from this page after adding the permissions.

Step 3: Generate a client secret

  1. In your SlashID App Registration page, select 'Manage' > 'Certificates & secrets' from the side menu.

  2. Under 'Client secrets', choose 'New client secret'.

  3. Enter a description and a duration for the new client secret and press 'Add'. We recommend 365 days as the expiry period.

[Screenshot: add a client secret]

  4. Copy the secret Value and keep it safe — you will need to enter it in the SlashID Console later, and it cannot be retrieved again after you leave this page.

[Screenshot: copy secret value to clipboard]

Step 4: Obtain the client ID

  1. In your SlashID App Registration page, select 'Overview' from the side menu.

  2. Copy the 'Application (client) ID'. You will need to enter it in the SlashID Console later.

[Screenshot: copy client id]

Step 5: SlashID Console configuration

  1. Go to the SlashID Console > 'Identity Protection' > 'Configuration' > 'Data sources'.

  2. Open the SlashID Sensors data source.

  3. Fill in the connection details:

    SlashID Console field      Description
    Application (client) ID    The client ID obtained in step 4
    Client secret              The client secret obtained in step 3
  4. Save the configuration.

[Screenshot: slashid console configuration]

Your users can now sign in with their Entra identity from the SlashID sensor and take part in Mutual TOTP handshakes.
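As an added example (not SlashID's or Microsoft's own code), the Python check below reads an App Registration manifest exported from the Entra portal's Manifest page and reports anything that differs from Steps 1 to 3: a missing or extra redirect URI, application or unexpected permissions, and a client secret that has expired, is about to expire, or was issued for longer than the recommended 365 days. It assumes the manifest uses the Microsoft Graph application format (web.redirectUris, requiredResourceAccess, passwordCredentials) and that the permission IDs match the Microsoft Graph permissions reference; the embedded manifest is a constructed sample.

```python
import json
from datetime import datetime, timedelta, timezone

# Values the guide prescribes: the Step 1 redirect URI and the Step 2 delegated Graph scopes.
EXPECTED_REDIRECT = "https://api.slashid.com/sensors/auth/callback"
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # Microsoft Graph resource app ID
# Delegated permission IDs as published in the Microsoft Graph permissions reference;
# confirm them against your own tenant's manifest before relying on this check.
EXPECTED_SCOPES = {"37f7f235-527c-4136-accd-4a02d197296e": "openid",
                   "14dad69e-099b-42c9-810b-d002981feec1": "profile",
                   "64a6cdd6-aab1-4aaf-94b8-3cc8405e90d0": "email",
                   "e1fe6dd8-ba31-4d61-89e7-88639da4683d": "User.Read"}
MAX_LIFETIME, RENEW_WARNING = timedelta(days=365), timedelta(days=30)  # Step 3 recommendation; rotation lead time
# Constructed sample manifest in the Microsoft Graph application format, trimmed to the fields read here.
SAMPLE_MANIFEST = json.dumps({
    "web": {"redirectUris": [EXPECTED_REDIRECT]},
    "requiredResourceAccess": [{"resourceAppId": GRAPH_APP_ID,
        "resourceAccess": [{"id": p, "type": "Scope"} for p in EXPECTED_SCOPES]}],
    "passwordCredentials": [{"displayName": "slashid-console",
        "startDateTime": "2024-01-01T00:00:00Z", "endDateTime": "2024-12-31T00:00:00Z"}]})

def _parse(ts):  # Entra emits ISO-8601 with a trailing Z, which fromisoformat() rejects before Python 3.11
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def check_manifest(manifest_json, now=None):
    """Return a list of findings; an empty list means the registration matches the guide."""
    app, findings, seen = json.loads(manifest_json), [], set()
    now = _parse(now) if now else datetime.now(timezone.utc)
    uris = set(app.get("web", {}).get("redirectUris", []))
    if EXPECTED_REDIRECT not in uris:
        findings.append("missing SlashID redirect URI")
    findings += [f"unexpected redirect URI: {u}" for u in uris - {EXPECTED_REDIRECT}]
    for res in app.get("requiredResourceAccess", []):
        for perm in res.get("resourceAccess", []):
            # "Role" entries are application permissions; the guide wants delegated Graph scopes only
            if perm["type"] != "Scope" or res["resourceAppId"] != GRAPH_APP_ID:
                findings.append(f"non-delegated or non-Graph permission {perm['id']}")
            else:
                seen.add(perm["id"])
    findings += [f"missing delegated scope {n}" for p, n in EXPECTED_SCOPES.items() if p not in seen]
    findings += [f"unexpected Graph scope {p}" for p in seen - set(EXPECTED_SCOPES)]
    for s in app.get("passwordCredentials", []):
        start, end = _parse(s["startDateTime"]), _parse(s["endDateTime"])
        if end <= now:
            findings.append(f"secret {s['displayName']} has expired")
        elif end - now <= RENEW_WARNING:
            findings.append(f"secret {s['displayName']} expires within 30 days")
        if end - start > MAX_LIFETIME:
            findings.append(f"secret {s['displayName']} lifetime exceeds 365 days")
    return findings
```

Run `check_manifest(open("manifest.json").read())` against a real export; an empty list means the registration matches the guide, and a secret warning is the cue to generate a new secret and update the Console before sensor sign-in stops working.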